CN111611555A - Physical layer authorization and access method and device - Google Patents


Info

Publication number
CN111611555A
Authority
CN
China
Prior art keywords
access
target data
user
account
physical layer
Legal status
Granted
Application number
CN202010427933.4A
Other languages
Chinese (zh)
Other versions
CN111611555B (en)
Inventor
丁祁
Current Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The embodiments of the disclosure provide a physical layer authorization method, a physical layer access method and a physical layer authorization device in the field of cloud computing data security. The physical layer authorization method comprises: acquiring user information of a user to be authorized, and binding the access rights of the user to be authorized to target data located in the physical layer; creating, according to an account creation rule, an access account under the target data based on the user information; storing the mapping relation between the access account and the target data in the logic layer; and authorizing the target data to the access account in the physical layer. This addresses the poor security of current data access permission control.

Description

Physical layer authorization and access method and device
Technical Field
The invention relates to the technical field of data security, in particular to a physical layer authorization and access method and device.
Background
With the rapid development of database technology, the requirements on data security are ever higher. At present, permission control for access to the physical layer data of a data source is mostly enforced by the logic layer alone: a permission mapping relation is configured in the logic layer, and on each user access the logic layer queries whether a corresponding mapping relation granting access exists.
Under this logic layer permission control, the user actually operates on the data through the database's pre-configured administrator account, which has very broad privileges. If the user bypasses the logic layer permission control, the data of the entire database may be exposed. The risk is high, and the existing data access permission control therefore has poor security.
Disclosure of Invention
The invention aims to provide a physical layer authorization and access method and a physical layer authorization and access device, so as to solve the problem of poor security in current data access permission control.
In a first aspect, the present invention provides a physical layer authorization method, applied to a logical layer of a database, where the physical layer authorization method includes:
acquiring user information of a user to be authorized, and binding the access authority of the user to be authorized to target data located in a physical layer;
according to an account creation rule, creating an access account under the target data based on the user information;
storing the mapping relation between the access account and the target data in a logic layer;
and authorizing the target data to the access account at a physical layer.
In a possible implementation manner, before the step of creating an access account under the target data based on the user information according to the account creation rule, the method further includes:
judging whether an access account corresponding to the user information exists under the target data;
and if not, executing the step of creating the access account under the target data based on the user information according to the account creation rule.
In a possible implementation manner, after the step of creating an access account under the target data based on the user information according to the account creation rule, the method further includes:
judging whether the access account already exists under the target data;
if not, creating the access account in the physical layer;
if so, modifying the random characters in the access account and returning to the step of judging whether the access account already exists under the target data.
In a second aspect, the present invention further provides a physical layer access method applied to a logical layer of a database, where the physical layer access method includes:
acquiring user information of a visiting user;
judging whether the visiting user has the access authority of the target data or not according to the user information;
if so, acquiring an access account under the target data according to the user information, and enabling the visiting user to access the target data through the access account.
In one possible implementation manner, after the step of obtaining the user information of the visiting user, the method further includes:
judging whether the visiting user is a new user or not according to the user information;
if not, updating the access authority of the visiting user to the target data;
if yes, the step of judging whether the visiting user has the access right of the target data according to the user information is executed.
In one possible implementation manner, the step of updating the access right of the visiting user to the target data includes:
inquiring the existing access right of the visiting user to the target data;
and if the existing access right is not empty, deleting the existing access right and updating the access right of the visiting user to the target data.
In one possible implementation, the access rights include at least one of selection, modification, insertion, and deletion.
In a third aspect, the present invention further provides a physical layer authorization apparatus, applied to a logical layer of a database, where the physical layer authorization apparatus includes:
the binding module is used for acquiring the user information of a user to be authorized and binding the access rights of the user to be authorized to the target data located in the physical layer;
the creating module is used for creating an access account under the target data based on the user information according to an account creating rule;
the storage module is used for storing the mapping relation between the access account and the target data in a logic layer;
and the authorization module is used for authorizing the target data to the access account at a physical layer.
In one possible implementation, the creating module is further configured to:
judging whether an access account corresponding to the user information exists under the target data;
and if not, creating an access account under the target data based on the user information according to an account creation rule.
In one possible implementation, the creating module is further configured to:
judging whether the access account already exists under the target data;
if not, creating the access account in the physical layer;
if so, modifying the random characters in the access account and judging again whether the access account already exists under the target data.
In a fourth aspect, the present invention further provides a physical layer access apparatus, applied to a logical layer of a database, where the physical layer access apparatus includes:
the acquisition module is used for acquiring the user information of the visiting user;
the judging module is used for judging whether the visiting user has the access authority of the target data or not according to the user information; if so, acquiring an access account under the target data according to the user information, and enabling the visiting user to access the target data through the access account.
In one possible implementation, the physical layer access device further includes an update module;
the judging module is further configured to:
judging whether the visiting user is a new user or not according to the user information;
if not, the updating module updates the access authority of the visiting user to the target data;
if yes, judging whether the visiting user has the access right of the target data according to the user information.
In a possible implementation manner, the update module is specifically configured to:
inquiring the existing access right of the visiting user to the target data;
and if the existing access right is not empty, deleting the existing access right and updating the access right of the visiting user to the target data.
In one possible implementation, the access rights include at least one of selection, modification, insertion, and deletion.
In a fifth aspect, the present invention also provides a computer readable storage medium having stored thereon machine executable instructions which, when invoked and executed by a processor, cause the processor to carry out the method described above.
With the physical layer authorization method provided by the embodiment of the invention, after the access rights to the target data in the physical layer are bound, an access account under the target data is created for the user to be authorized, and the mapping relation between the access account and the target data is stored in the logic layer. The access account is a dedicated account that can only be used to access the target data. When a user accesses the physical layer data of the data source, the physical layer access method provided by the embodiment of the invention is used: after the logic layer judges that the visiting user has access rights to the target data, the visiting user accesses the target data through that access account. Therefore, in addition to the logic layer's permission control over the visiting user, the visiting user interacts with the target data in the physical layer through its own dedicated account, and that account can only access the data for which a permission mapping relation exists. Physical layer access control is thus enforced by the database's own account system, i.e. data permission management is made persistent, the hidden danger of exposing the whole database through an over-privileged administrator account is avoided, and the problem of poor security in current data access permission control is solved.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a physical layer authorization method according to an embodiment of the present invention;
fig. 2 is a flowchart of a physical layer access method according to an embodiment of the present invention;
fig. 3 is a flowchart of another physical layer authorization method according to an embodiment of the present invention;
fig. 4 is a flowchart of another physical layer access method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a physical layer authorization apparatus according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a physical layer access device according to an embodiment of the present invention;
fig. 7 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "comprising" and "having," and any variations thereof, as referred to in the embodiments of the present application, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements but may alternatively include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
At present, permission control for access to the physical layer data of a data source is mostly enforced by the logic layer alone: a permission mapping relation is configured in the logic layer, and on each user access the logic layer queries whether a corresponding mapping relation granting access exists. For example, the user testUser wants to access the physical layer data of the table testTable in the library testDb of the mysql database. The mapping relation testUser-mysql./testDb/testTable is set in the logic layer; when testUser accesses mysql./testDb/testTable, the logic layer finds that the mapping relation exists, and testUser can directly access or operate on the physical layer data of mysql./testDb/testTable.
The embodiment of the invention provides a physical layer authorization method which can be applied to a logic layer of a database. As shown in fig. 1, the physical layer authorization method includes the following steps:
s101: and acquiring the user information of the user to be authorized, and binding the access authority of the user to be authorized to the target data positioned in the physical layer.
The logic layer firstly obtains the user information of the user to be authorized, and then binds the access authority of the user to be authorized to the target data. Wherein, the access authority is one or more of selection, modification, insertion and deletion (SELECT, UPDATE, INSERT and DELETE).
S102: and according to the account creation rule, creating an access account under the target data based on the user information.
The account creation rules are preset in the logic layer, for example, the user name of the access account can be a partial field of the user information + the target data identification + a random character, and the password of the access account is a randomly generated character.
S103: and storing the mapping relation between the access account and the target data at a logic layer.
And after a special access account is created for the user to be authorized, storing the mapping relation between the access account and the target data so as to be inquired and called when the user accesses the target data.
S104: the target data is authorized to the access account at the physical layer.
And authorizing the target data to the access account at a physical layer according to the mapping relation between the access account and the target data, so that the user can smoothly access the target data.
Correspondingly, the embodiment of the invention also provides a physical layer access method which is also applied to the logical layer of the database. As shown in fig. 2, the physical layer access method includes the steps of:
s201: user information of a visiting user is acquired.
When a user needs to access the physical layer data, the logic layer first acquires the user information of the visiting user.
S202: and judging whether the visiting user has the access right of the target data or not according to the user information.
And the logic layer inquires whether the visiting user has the access right of the target data or not according to the user information of the visiting user. If the visiting user has the access right, executing the step S203; if the visiting user has no access right, the visiting is ended.
S203: and acquiring an access account under the target data according to the user information, so that the visiting user can access the target data through the access account.
And the logic layer acquires a pre-established special access account according to the user information, so that the visiting user can access and operate the target data of the physical layer by using the special access account. And, the access account can only access and operate on the target data, but can not access and operate on all data of the physical layer.
The embodiment of the invention also provides another implementation mode of the physical layer authorization method. As shown in fig. 3, the physical layer authorization method includes the following steps:
s301: and binding the access authority of the target data positioned in the physical layer, and acquiring the user information of the user to be authorized.
When a user needs to obtain the access right of the data of the physical layer, the logic layer firstly obtains user information of a user to be authorized, such as a user name testUser of the user to be authorized, and then binds the access right of the user to be authorized to the target data. For example, if a user testUser to be authorized wants to access the physical layer data of the testtable table in the testDb library under the mysql database, the testUser is bound to the mapping relationship mysql./testDb/testtable.
S302: and judging whether an access account corresponding to the user information exists under the target data.
The purpose of this step is to determine whether the same to-be-authorized user has obtained the access right of the target data, that is, a dedicated access account has been created. If not, go to step S303; if yes, the authorization process is ended.
S303: and according to the account creation rule, creating an access account under the target data based on the user information.
The account creation rule is preset in the logic layer, the user name of the access account can be a partial field of the user information + the target data identification + a random character, and the password of the access account is a randomly generated character. For example, a user testUser wants to access the physical layer data of the testtable table in the testDb library in the mysql database, the user name of the access account is created as UserTable1234, and a password composed of random characters is generated.
S304: and judging whether an access account exists under the target data.
Since the same target data may be authorized for multiple users, it is necessary to query whether the user name UserTable1234 is already occupied by other users. If yes, go to step S305; if not, step S306 is performed.
S305: the random character in the access account is modified.
If the user name UserTable1234 is already occupied by other users, the user name of the private access account of the testUser to be authorized needs to be changed. The user name UserTable1234 includes a fixed character generated according to the account creation rule and also includes a random character generated randomly, so that the random character portion in the user name UserTable1234, that is, "1234" in the user name UserTable1234, can be modified to replace the new user name. For example, after the random character is generated again, the user name is changed to UserTable 4567. Then returning to step S304, it is determined whether UserTable4567 is already occupied by other users.
S306: an access account is created to the physical layer.
If the user name UserTable1234 of the access account is not occupied by other users, the user name and password of the access account are created to the physical layer, so that the user can access and operate the target data of the physical layer by using the access account later.
S307: and storing the mapping relation between the access account and the target data.
After a special access account is created for a user to be authorized, storing a mapping relation testUser-mysql./testDb/testTable between the access account and target data for inquiring and calling when the user accesses the target data.
S308: the target data is authorized to the access account at the physical layer.
According to the mapping relation testUser-mysql./testDb/testTable between the previously bound access account and the target data, the target data is authorized to the access account in the physical layer, so that the user can smoothly access the target data of the testTable table in the testDb library under the mysql database.
The embodiment of the invention also provides another implementation mode of the physical layer access method. As shown in fig. 4, the physical layer access method includes the steps of:
s401: user information of a visiting user is acquired.
When a user needs to access the physical layer data, the logic layer first acquires the user information of the visiting user. For example, the visiting user testUser wants to access the physical layer data of the testTable table under the testDb library under the mysql database, and the logic layer acquires the user name testUser of the visiting user.
S402: and judging whether the visiting user is a new user or not according to the user information.
If the testUser is not the newly added visiting user, the access authority of the testUser to the target data needs to be updated, and step S403 is executed; if the testUser is a newly added visiting user, step S405 is performed. Wherein the access rights may generally include one or more of selection, modification, insertion, deletion.
In this embodiment, updating the access right of the visiting user to the target data mainly includes the following steps S403 and S404.
S403: and inquiring the existing access right of the visiting user to the target data.
If the existing access right is not null, executing step S404; if the existing access right is empty, the updating of the access right is finished, and step S405 is executed.
S404: and deleting the existing access right, and updating the access right of the visiting user to the target data.
For example, if the existing access right of the user testUser is selection and modification, the selection and modification right is deleted, and then the access right of the user testUser is updated to modification and insertion. By updating the access right of the visiting user in the steps S403 and S404, it is achieved that the access right of the visiting user in the corresponding physical layer data can be synchronously changed when the authorization relationship of the logical layer changes.
S405: and judging whether the visiting user has the access right of the target data or not according to the user information.
The logic layer inquires whether the testUser of the visiting user has the access right of the target data mysql./testDb/testTable or not according to the user information of the visiting user. If the visiting user testUser has the access right, executing step S406; and if the visiting user testUser has no access right, ending the access.
S406: and acquiring an access account under the target data according to the user information, so that the visiting user can access the target data through the access account.
And the logic layer acquires a user name UserTable1234 and a password of a pre-created special access account according to the user information, so that the visiting user testUser can access and operate the target data of the physical layer by using the special access account. Moreover, the access account UserTable1234 can only access and operate on the target data, but cannot access and operate on all data of the physical layer.
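The authorization flow (S301 to S308) and the access flow (S401 to S406) above, as an added Python simulation that is not part of the patent: the logic layer keeps the user-to-target bindings and the dedicated-account mapping, while a stand-in physical layer records the MySQL statements a real implementation would issue. The account-naming rule (user name + table name + four random digits), the target identifier format mysql./db/table and the SQL text are assumptions, and suffix_source lets a caller inject deterministic random characters to exercise the collision loop of S304/S305.

```python
"""Constructed simulation of the patent's two flows; not the patent's own code."""
import secrets
import string
from dataclasses import dataclass, field

# The only rights the page allows for a dedicated account (S101 / S402).
ALLOWED_RIGHTS = frozenset({"SELECT", "UPDATE", "INSERT", "DELETE"})


def target_to_sql(target):
    """'mysql./testDb/testTable' -> ('`testDb`.`testTable`', 'testTable').
    The identifier format is assumed from the page's mapping relation."""
    _engine, path = target.split("./", 1)
    db, table = path.split("/", 1)
    return f"`{db}`.`{table}`", table


@dataclass
class PhysicalLayer:
    """Stand-in for the database's own account system; records the SQL it would run."""
    accounts: dict = field(default_factory=dict)  # username -> password
    grants: dict = field(default_factory=dict)    # username -> {sql_target: set(rights)}
    issued: list = field(default_factory=list)    # SQL statements, for inspection only

    def account_exists(self, name):
        return name in self.accounts

    def create_account(self, name, password):
        self.accounts[name] = password
        self.issued.append(f"CREATE USER '{name}'@'%' IDENTIFIED BY '***';")

    def grant(self, name, sql_target, rights):
        # Grant is scoped to one table only: the account never gets database-wide rights.
        self.grants.setdefault(name, {}).setdefault(sql_target, set()).update(rights)
        self.issued.append(f"GRANT {', '.join(sorted(rights))} ON {sql_target} TO '{name}'@'%';")

    def revoke(self, name, sql_target, rights):
        self.grants.get(name, {}).get(sql_target, set()).difference_update(rights)
        self.issued.append(f"REVOKE {', '.join(sorted(rights))} ON {sql_target} FROM '{name}'@'%';")

    def rights_of(self, name, sql_target):
        return set(self.grants.get(name, {}).get(sql_target, set()))


class LogicLayer:
    def __init__(self, physical, suffix_source=None):
        self.physical = physical
        self.bindings = {}  # (user, target) -> rights bound in the logic layer
        self.accounts = {}  # (user, target) -> dedicated access account name
        self.suffix = suffix_source or (
            lambda: "".join(secrets.choice(string.digits) for _ in range(4)))

    def authorize(self, user, target, rights):
        """S301-S308: bind rights, create a dedicated account, grant only the target."""
        rights = set(rights)
        if not rights <= ALLOWED_RIGHTS:
            raise ValueError(f"unsupported rights: {sorted(rights - ALLOWED_RIGHTS)}")
        self.bindings[(user, target)] = rights                 # S301
        if (user, target) in self.accounts:                     # S302: already authorized
            return self.accounts[(user, target)]
        sql_target, table = target_to_sql(target)
        # S303: assumed naming rule, truncated because MySQL limits user names to 32 chars.
        fixed = f"{user[:12]}_{table[:12]}_"
        name = fixed + self.suffix()
        while self.physical.account_exists(name):              # S304 / S305: regenerate
            name = fixed + self.suffix()
        self.physical.create_account(name, secrets.token_urlsafe(24))  # S306
        self.accounts[(user, target)] = name                   # S307
        self.physical.grant(name, sql_target, rights)           # S308
        return name

    def access(self, user, target):
        """S401-S406: returns the dedicated account name, or None if access is refused."""
        key = (user, target)
        name = self.accounts.get(key)
        sql_target, _ = target_to_sql(target)
        if name is not None:                                    # S402: not a new user
            existing = self.physical.rights_of(name, sql_target)   # S403
            wanted = self.bindings.get(key, set())
            if existing and existing != wanted:                    # S404: revoke, re-grant
                self.physical.revoke(name, sql_target, existing)
                if wanted:
                    self.physical.grant(name, sql_target, wanted)
        if not self.bindings.get(key):                          # S405: no mapping, refuse
            return None
        return name                                              # S406
```

A re-authorization with different rights only changes the logic layer binding; the physical grants are brought in line on the next access, which is the synchronisation the page describes for S403/S404.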
With the physical layer authorization method and physical layer access method provided by this embodiment, the database's own account system is used to enforce physical layer access control, i.e. data permission management is made persistent, the hidden danger of exposing the whole database through an over-privileged administrator account is avoided, and the problem of poor security in conventional data access permission control is solved.
The embodiment of the invention also provides a physical layer authorization device which is applied to the logical layer of the database. As shown in fig. 5, the physical layer authorization apparatus includes:
a binding module 501, configured to bind an access right of target data located in a physical layer, and obtain user information of a user to be authorized;
a creating module 502, configured to create an access account under the target data based on the user information according to the account creation rule;
a saving module 503, configured to save, in the logic layer, a mapping relationship between the access account and the target data;
an authorization module 504 for authorizing the target data to the access account at a physical layer.
In an implementation manner, the physical layer authorization apparatus provided in the embodiment of the present invention further includes:
the first determining module 505 is configured to determine whether an access account corresponding to the user information exists under the target data.
A second determination module 506, configured to determine whether an access account exists under the target data. If not, the access account is established to the physical layer; if so, the random character in the access account is modified.
The embodiment of the invention also provides a physical layer access device which is applied to the logical layer of the database. As shown in fig. 6, the physical layer access device includes:
an obtaining module 601, configured to obtain user information of a visiting user;
a judging module 602, configured to judge whether a visiting user has an access right to target data according to user information; if so, acquiring an access account under the target data according to the user information, and enabling the visiting user to access the target data through the access account.
In an implementation manner, the physical layer access apparatus provided in an embodiment of the present invention further includes:
an updating module 603, configured to determine whether the visiting user is a new user according to the user information. And if not, updating the access authority of the visiting user to the target data.
Because the physical layer authorization apparatus and the physical layer access apparatus provided in the embodiments of the present invention have corresponding technical features to the physical layer authorization method and the physical layer access method provided in the embodiments, the same technical problems can be solved, and the same technical effects can be achieved.
As shown in fig. 7, an electronic device 700 provided in an embodiment of the present application includes a memory 701 and a processor 702, where the memory stores a computer program that is executable on the processor, and the processor implements the steps of the method provided in the foregoing embodiment when executing the computer program.
As shown in fig. 7, the electronic device further includes: a bus 703 and a communication interface 704, and the processor 702, the communication interface 704, and the memory 701 are connected by the bus 703; the processor 702 is configured to execute executable modules, such as computer programs, stored in the memory 701.
The memory 701 may include a high-speed random access memory (RAM), and may also include a non-volatile memory, such as at least one disk memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 704 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used.
Bus 703 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 7, but this does not indicate only one bus or one type of bus.
The memory 701 is used for storing a program, the processor 702 executes the program after receiving an execution instruction, and the method performed by the apparatus defined by the process disclosed in any of the foregoing embodiments of the present application may be applied to the processor 702, or implemented by the processor 702.
The processor 702 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 702. The processor 702 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in the memory 701; the processor 702 reads the information in the memory 701 and completes the steps of the method in combination with its hardware.
Corresponding to the real-time data processing method, the embodiment of the present application further provides a computer readable storage medium, where the computer readable storage medium stores machine executable instructions, and when the computer executable instructions are called and executed by a processor, the computer executable instructions cause the processor to execute the steps of the real-time data processing method.
The real-time data processing device provided by the embodiment of the application can be specific hardware on the device, or software or firmware installed on the device, and the like. The device provided by the embodiment of the present application has the same implementation principle and technical effect as the foregoing method embodiments, and for the sake of brief description, reference may be made to the corresponding contents in the foregoing method embodiments where no part of the device embodiments is mentioned. It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the foregoing systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative, and for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
For another example, the division of the unit is only one division of logical functions, and there may be other divisions in actual implementation, and for another example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the real-time data processing method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present application, used for illustrating the technical solutions of the present application and not limiting them, and the scope of the present application is not limited thereto. Although the present application is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art can modify, or easily conceive changes to, the technical solutions described in the foregoing embodiments, or substitute equivalents for some of their technical features, within the technical scope disclosed in the present application; such modifications, changes or substitutions do not depart from the scope of the embodiments of the present application and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A physical layer authorization method, applied to a logical layer of a database, comprising the following steps:
acquiring user information of a user to be authorized, and binding the access authority of the user to be authorized to target data located in a physical layer;
according to an account creation rule, creating an access account under the target data based on the user information;
storing the mapping relation between the access account and the target data in a logic layer;
and authorizing the target data to the access account at a physical layer.
2. The method of claim 1, further comprising, prior to the step of creating an access account under the target data based on the user information according to an account creation rule:
judging whether an access account corresponding to the user information exists under the target data;
and if not, executing the step of creating the access account under the target data based on the user information according to the account creation rule.
3. The method of claim 1, wherein the step of creating an access account under the target data based on the user information according to the account creation rule further comprises:
judging whether the access account exists under the target data or not;
if not, the access account is established to a physical layer;
if yes, modifying the random characters in the access account, and returning to the step of judging whether the access account exists under the target data.
4. A physical layer access method applied to a logical layer of a database, the physical layer access method comprising:
acquiring user information of a visiting user;
judging whether the visiting user has the access authority of the target data or not according to the user information;
if so, acquiring an access account under the target data according to the user information, and enabling the visiting user to access the target data through the access account.
5. The method of claim 4, further comprising, after the step of obtaining the user information of the visiting user:
judging whether the visiting user is a new user or not according to the user information;
if not, updating the access authority of the visiting user to the target data;
if yes, the step of judging whether the visiting user has the access right of the target data according to the user information is executed.
6. The method of claim 5, wherein the step of updating the access right of the visiting user to the target data comprises:
inquiring the existing access right of the visiting user to the target data;
and if the existing access right is not empty, deleting the existing access right and updating the access right of the visiting user to the target data.
7. The method of claim 4, wherein the access rights comprise at least one of selection, modification, insertion, and deletion.
8. A physical layer authorization apparatus applied to a logical layer of a database, the physical layer authorization apparatus comprising:
the binding module is used for acquiring the user information of a user to be authorized and binding the access authority of the user to be authorized on the target data positioned on the physical layer;
the creating module is used for creating an access account under the target data based on the user information according to an account creating rule;
the storage module is used for storing the mapping relation between the access account and the target data in a logic layer;
and the authorization module is used for authorizing the target data to the access account at a physical layer.
9. The apparatus of claim 8, wherein the creation module is further configured to:
judging whether an access account corresponding to the user information exists under the target data;
and if not, creating an access account under the target data based on the user information according to an account creation rule.
10. The apparatus of claim 8, wherein the creation module is further configured to:
judging whether the access account exists under the target data or not;
if not, the access account is established to a physical layer;
if so, modifying the random characters in the access account, and judging whether the access account exists under the target data again.
11. A physical layer access device applied to a logical layer of a database, the physical layer access device comprising:
the acquisition module is used for acquiring the user information of the visiting user;
the judging module is used for judging whether the visiting user has the access authority of the target data or not according to the user information; if so, acquiring an access account under the target data according to the user information, and enabling the visiting user to access the target data through the access account.
12. The apparatus of claim 11, further comprising an update module;
the judging module is further configured to:
judging whether the visiting user is a new user or not according to the user information;
if not, the updating module updates the access authority of the visiting user to the target data;
if yes, judging whether the visiting user has the access right of the target data according to the user information.
13. The apparatus of claim 12, wherein the update module is specifically configured to:
inquiring the existing access right of the visiting user to the target data;
and if the existing access right is not empty, deleting the existing access right and updating the access right of the visiting user to the target data.
14. The apparatus of claim 11, wherein the access rights comprise at least one of selection, modification, insertion, and deletion.
15. A computer readable storage medium having stored thereon machine executable instructions which, when invoked and executed by a processor, cause the processor to execute the method of any of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010427933.4A CN111611555B (en) 2020-05-19 2020-05-19 Physical layer authorization and access method and device

Publications (2)

Publication Number Publication Date
CN111611555A true CN111611555A (en) 2020-09-01
CN111611555B CN111611555B (en) 2023-06-16

Family

ID=72204941

Country Status (1)

Country Link
CN (1) CN111611555B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116305175A (en) * 2022-11-10 2023-06-23 合芯科技有限公司 Account authority configuration method, device, equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20080098304A (en) * 2007-11-05 2008-11-07 김용규 Method for management of database access control and protection of database access account
US20090089681A1 (en) * 2003-03-05 2009-04-02 Srinivasu Gottipati Method and system for controlling access to database information
CN103902919A (en) * 2012-12-24 2014-07-02 北大方正集团有限公司 Method and device for recovering login information
US20140337384A1 (en) * 2013-05-08 2014-11-13 Sap Ag Modeled Authorization Check Implemented with UI Framework
US20150242531A1 (en) * 2014-02-25 2015-08-27 International Business Machines Corporation Database access control for multi-tier processing
CN106649772A (en) * 2016-12-27 2017-05-10 上海上讯信息技术股份有限公司 Method and equipment for accessing data
US20170132401A1 (en) * 2015-11-06 2017-05-11 Sap Se Data access rules in a database layer
CN107403106A (en) * 2017-07-18 2017-11-28 北京计算机技术及应用研究所 Database fine-grained access control method based on terminal user

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
潘登 (Pan Deng): "Security Policy Based on SQL Server Database", Computer CD Software and Applications (计算机光盘软件与应用) *

Also Published As

Publication number Publication date
CN111611555B (en) 2023-06-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant